Posted!

Join the Conversation

Comments

This conversation is moderated according to USA TODAY's
community rules.
Please read the rules before joining the discussion.

Data breach case: No harm, no foul

Jack Greiner
Published 1:56 p.m. ET June 28, 2018

John C. Greiner, attorney for Graydon Head Legal Counsel. He's a commercial litigator with an emphasis on communications and media law. He serves on the firm's Appellate Practice Group. (Photo: Provided, Provided)

Jack Greiner is a lawyer with the Graydon law firm in Cincinnati. He represents Enquirer Media in First Amendment and media issues.

A former employee of a health care technology consulting company recently failed in her data breach claim against the company. Ultimately it was a case of no harm no foul.

In November 2017, Jaclyn Moore filed a class action suit against her former employer HighPoint Solutions LLC, and the company’s former human resources manager, Christine Cushman.

Moore’s lawsuit came in response to HighPoint’s widely publicized announcement that Cushman had stolen almost $1 million over a two-year period by using private financial information the company maintained regarding subcontractors. The Pennsylvania District Attorney’s office reported Ms. Cushman used the stolen information to issue herself 45 fraudulent checks. HighPoint said that it was the only victim in the theft and no client, employee, or subcontractor bank account ever received or had any funds withdrawn.

But Moore alleged HighPoint and Cushman failed to secure her personally identifying information. And she asked the court to certify the case as a class action, on behalf of former employees, agents, subcontractors, services providers, customers and their families who were also victimized. Moore’s claims against HighPoint included breach of fiduciary duty, intrusion upon seclusion, breach of implied contract, negligence, and violation of the New Jersey Computer Related Offenses Act.

But Moore ran into an obstacle that many plaintiffs experience in data breach cases. The Court held that Moore failed to produce any evidence that she actually sustained a concrete injury resulting from the defendants’ conduct. Specifically, she couldn’t prove Cushman even accessed her personal identifying information, much less that anyone misused the data in any way.

The best argument Moore could muster was that Cushman’s criminal conduct increased the risk that she would experience identity theft. But an increased risk is not a concrete injury. It is merely a possibility. That meant Moore’s case had no possibility of success.